Hi, presuming you have joined MWG to your domain and authentication is working correctly, simply create a rule (perhaps under URL filtering) that uses criteria of Property = authentication.usergroups, operator = contains and operand = a value string of the group name.

As an example:

Block users in student group access to urls categorised as Drugs.... ;-)

One thing I'll add here is something I learned by doing.... not all things you'd think of as AD groups are created equal.

The only AD groups the web gateway seems to "see" are security groups. Things defined as distribution lists, for instance... are a non-starter for use on the web gateway.

If your view of various AD groups is most familiar via looking through Outlook addressbooks and the like, outlook doesn't tell you any differences, but the web gateway does.

To see what groups a given user is in, if you have that user's id and password, click into your authentication rule, and the definition of the call to Authentication.Authenticate. In the edit settings window that results, hidden under the settings content sub-pane, under "Authentication Method" you'll see a drop-down arrow for "Authentication Test". Click that drop-down arrow and you can specify a user and password; click the "Authenticate User" button and in the "Test Result" field you'll see what groups the MWG thinks that user could be a part of.

This is helpful in separating security groups from distribution lists.

I'd LOVE to have someone give me an equivalent linux ldapsearch command line to reconstruct the ldap query this Authentication Test is doing here.

Re your point on distribution and security groups...I don't mean to be picky but in AD there are essentially two types of groups - security and distribution - so they are not 'equal' by design.

You can't use distribution groups as security groups in AD as they do not have security descriptors thus no way of authenticating. You can mail-enable a security group but that's not (technically) a distribution group....

So it's not just MWG that will not see distribution groups (for security purposes) but any app/ function that uses security groups e.g NTFS/ shares/ sharepoint etc etc

My advice is to never use Outlook as a basis for finding a user's group membership as you will only see mail relevant objects. If you want to see a user's (security) group membership then either use ADUC/ powershell or from windows cmd line:

net user <username> /dom

If you *really* want to use linux ldap then google is your friend :-) tho it seems to me a rather complicated way of going about getting group membership when there are easier alternatives!

Thanks for the input. I guess I didn't elaborate enough on what my thoughts were and what I was attempting to do.

I am able to use the domain group names in rules; however, is there a way to populate/pull/pick the actual AD groups from within the web gateway? At this point in time I have to type the names in manually or copy/paste the group names into the rule.

Coming from SmartFilter I was able to choose the AD group names from a list that was pulled from AD.

I am trying to build a rule that will allow only those workstations that have Google Chrome installed to perform updates to Chrome. I want the desktop group to be able to add workstations to this group in AD and have those workstations be able to get out for the updates.

Thanks for the clarification about the AD goodies. It makes my anecdotal pains in the butt trying to use different ... what people experience as "groups"... in DLP and MWG clearer. In the orgs I've worked with, AD administration is in a separate group than security engineering.

'Google is your friend' made me laugh of course, having googled on the subject at least an hour trying different incantations and consulting AD admins. If you can point out ldap syntax for giving what net user <username> /dom does and where I missed it, I'm all ears. It's likely what the linux based mwg is doing under the covers. Do you know the field names or descriptors for the attributes that distinguish a distribution list and a security group?

At any rate, having a net user command that does it quickly is as you say quite a bit easier. (Once you're aware of it). 8-P
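Added example (not from any poster in this thread): one way to reconstruct the lookup with the OpenLDAP `ldapsearch` client and tell security groups from distribution groups by the AD `groupType` attribute, whose `0x80000000` bit marks a security-enabled group. The domain controller, bind account, base DN and user DN are placeholders, and the LDIF sample is constructed to stand in for a live answer.

```shell
# Added example, not from any poster in this thread.
# AD stores groupType as a signed 32-bit integer; when bit 0x80000000
# (security-enabled) is set, the value prints as a negative number.
# Host, bind DN, base DN and user DN below are PLACEHOLDERS.

# Live query (needs a reachable domain controller):
#   ldapsearch -LLL -H ldap://dc01.example.com -D 'svc_ldap@example.com' -W \
#     -b 'DC=example,DC=com' \
#     '(&(objectClass=group)(member=CN=Jane Doe,OU=Staff,DC=example,DC=com))' \
#     cn groupType | classify_groups
# Like an LDAP lookup in MWG, this lists only groups naming the user in
# "member"; the primary group (normally Domain Users) is not returned.

# Read LDIF on stdin, print "<security|distribution> <cn>" per group entry.
classify_groups() {
    awk '
        function emit() {
            # Negative groupType => security-enabled bit set.
            kind = (gt < 0) ? "security" : "distribution"
            print kind, cn
            cn = ""; gt = 0
        }
        $1 == "cn:"        { cn = substr($0, 5) }
        $1 == "groupType:" { gt = $2 }
        /^$/ && cn != ""   { emit() }
        END                { if (cn != "") emit() }
    '
}

# Constructed sample LDIF shaped like the output of the query above:
# a global security group, a global distribution group, a universal security group.
SAMPLE_LDIF='dn: CN=students,OU=Groups,DC=example,DC=com
cn: students
groupType: -2147483646

dn: CN=all-staff,OU=Groups,DC=example,DC=com
cn: all-staff
groupType: 2

dn: CN=chrome-updaters,OU=Groups,DC=example,DC=com
cn: chrome-updaters
groupType: -2147483640
'

classify_sample() { printf '%s' "$SAMPLE_LDIF" | classify_groups; }

# Only the security groups can match Authentication.UserGroups in an MWG rule.
security_groups_only() { classify_sample | awk '$1 == "security" { print $2 }'; }

classify_sample
```

Pipe a real `ldapsearch -LLL` result into `classify_groups` to get the same two-column listing for a live user.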

Is there any reason you couldn't -- instead of relying on the desktop group to back-annotate an AD security group based on software inventory -- directly determine which workstations have Chrome on them by looking at the User-Agent header in the request? Granted that can be spoofed, but I'm not sure why anyone who didn't have Chrome installed would want to try to get Chrome updates anyway? Or is there another piece to the puzzle?

Regardless, your gripe about not having AD groups to pick from a pick list is duly noted. It doesn't exist today in MWG to my knowledge. A product enhancement request would get that requirement to the product manager's attention. Here's how to submit: https://kc.mcafee.com/corporate/index?page=content&id=KB60021 Prepare for some eye rolling as you're mysteriously required to install an activex control from acceptondemand. :-)

If you submit one, please let us know - I can throw a log on the "yes, this would be helpful and make me more productive in rule creation" fire.

This may not have any relevance to the original question (sorry), but may help in certain situations.

I was able to create a block page that would allow you to enter a username and show the associated groups for that user. This doesn't really help for "in rule" group lookups but maybe it will help as a crutch in the meantime.

The rules I created use LDAP (not NTLM! there is a big difference for AD because the primary group will not be returned with LDAP)..

To use the rules you simply import it, visit the arbitrary domain "getmygroups.com"... and then you are presented with a blockpage to enter the username of interest. This will then set URL parameters that are used in the rules to perform the lookup.

Attached is the ruleset required as well as the blockpage contents (it doesn't get imported with the ruleset so you need to create it!).

If you use this you should modify the Client.IP list as this would be available to anyone who visits that URL (getmygroups.com).